Introduction

The last decade has seen an engineering revolution in SAT solving. Can we bring that technology to program analysis?
– This talk shows how to do so for predicate abstraction by using off-the-shelf SAT solvers, e.g. Z3.

We have developed constraint-based techniques for:
– Program Verification
– Maximally-weak Precondition Inference
– Inter-procedural Summary Computation
– Inferring the Maximally-general Counterexamples to Safety (i.e. finding the best descriptions of bugs).

Maximally-weak preconditions

Instead of the precondition true as in PV, treat the precondition as an unknown PRE.
Generate constraints as for PV, now in terms of PRE and the unknown invariants I.
Solving these yields a precondition PRE, but not necessarily the maximally-weak one.
Iteratively improve the current precondition T by adding the following constraint:
    T ⇒ PRE ∧ ¬(PRE ⇒ T)
i.e. the next solution must be strictly weaker than T; when the constraint system becomes unsatisfiable, T is maximally weak.
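The weakening loop above, as an added worked example that is not code from the talk or the VS³ tool. It assumes a constructed predicate set over one integer variable x, a constructed straight-line program (x := x + 1; assert(x > 0)), a brute-force enumeration of predicate subsets in place of a SAT solver, and a finite integer model in place of the SMT/predicate-cover queries for implication checks. Every function and name here is hypothetical.

```python
from itertools import product

# Constructed example (not from the slides): a predicate-abstraction domain
# over a single integer variable x. A precondition is a conjunction of a
# subset of these predicates; the unknown PRE is the choice of subset, which
# the talk's encoding decides with one boolean variable per predicate.
PREDS = {
    "x>=-2": lambda x: x >= -2,
    "x>=-1": lambda x: x >= -1,
    "x>=0":  lambda x: x >= 0,
    "x>0":   lambda x: x > 0,
    "x<10":  lambda x: x < 10,
}

# Finite model used to decide implications between conjunctions. This stands
# in for the SMT / predicate-cover queries the real tool issues (an assumption
# made to keep the example self-contained, not the tool's method).
DOMAIN = range(-20, 21)


def holds(conj, x):
    """A conjunction of selected predicates at point x; the empty set is true."""
    return all(PREDS[p](x) for p in conj)


def implies(a, b):
    """a => b over the finite model."""
    return all(holds(b, x) for x in DOMAIN if holds(a, x))


def wp(x):
    """Weakest precondition of the constructed straight-line program
       x := x + 1; assert(x > 0)
    evaluated at x, i.e. x + 1 > 0."""
    return x + 1 > 0


def verification_condition(pre):
    """PRE => wp(program, post), checked on the finite model."""
    return all(wp(x) for x in DOMAIN if holds(pre, x))


def solve(constraint):
    """Stand-in SAT solver: enumerate the 2^|PREDS| selections of predicates
    and return the first model satisfying `constraint`, or None if UNSAT."""
    for bits in product([False, True], repeat=len(PREDS)):
        conj = frozenset(p for p, chosen in zip(PREDS, bits) if chosen)
        if constraint(conj):
            return conj
    return None


def verify_with_true_precondition():
    """Program-verification mode: PRE is fixed to true (the empty conjunction)."""
    return verification_condition(frozenset())


def maximally_weak_precondition():
    """Iterative weakening: start from any PRE satisfying the VC, then repeatedly
    demand a PRE with  T => PRE  and  not (PRE => T), i.e. strictly weaker than
    the current T, until that constraint system is UNSAT."""
    T = solve(verification_condition)
    if T is None:
        return None, []
    trace = [T]
    while True:
        U = solve(lambda pre, T=T: verification_condition(pre)
                  and implies(T, pre) and not implies(pre, T))
        if U is None:          # no strictly weaker valid precondition exists
            return T, trace
        T = U
        trace.append(T)


if __name__ == "__main__":
    print("verifies with PRE = true:", verify_with_true_precondition())
    pre, trace = maximally_weak_precondition()
    print("iterations:", [sorted(c) for c in trace])
    print("maximally-weak PRE:", sorted(pre))
```

With PRE fixed to true the program does not verify (x = -5 violates the assertion), so PV mode fails; the first solution the enumeration finds is the precondition x > 0, which is valid but too strong, and one round of the strict-weakening constraint moves it to x >= 0, after which the constraint system is unsatisfiable and x >= 0 is reported as maximally weak.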

Experiments: Overview

Our benchmarks are small academic programs that demonstrate the feasibility of the technique.
We ran our tool in two modes: program verification and weakest precondition.
We are able to easily generate disjunctive invariants, for which specialized techniques have been proposed earlier.
We collected three performance statistics:
– Time for verification condition generation (weakest precondition over simple paths)
– Time for boolean constraint generation (includes the predicate cover operation)
– Time for SAT solving (fixed point computation)

Future Work

We are exploring extensions to quantifiers and other analysis problems as future work.
We are exploring the scalability of this technique along two directions:
– Encodings that yield simpler SAT instances, e.g. exploiting symmetry information for the case of disjunctive solutions
– Reducing programmer burden by automatically inferring predicate sets and templates

VS³: Verification and Synthesis using SMT Solvers
http://www.cs.umd.edu/~saurabhs/pacs/